Siemens SCALANCE X Switches (Update B)

Plan PatchCVSS 9.1ICS-CERT ICSA-21-012-02Jan 12, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SCALANCE X switches do not generate a unique random key after factory reset and instead use a hardcoded private key that is shipped with the firmware. This hardcoded key is the same across all devices of the same model and firmware version. An attacker who obtains or derives this private key can decrypt TLS/HTTPS traffic to the device, impersonate the switch, or intercept and modify encrypted management communications. The vulnerability affects the X-200, X-200IRT, X-200RNA, and X-300 switch families across multiple firmware versions. Siemens has released patched firmware versions that generate unique keys during initialization.

What this means

What could happen

An attacker with network access to a SCALANCE X switch could intercept encrypted communications using the hardcoded private key shipped in the firmware, potentially allowing them to impersonate the switch, intercept configuration traffic, or modify network behavior without authentication.

Who's at risk

Water authorities and electric utilities using Siemens SCALANCE X managed Ethernet switches in their control networks should care. This affects SCALANCE X-200, X-200IRT, X-200RNA, and X-300 switch families (including industrial SIPLUS NET variants). Any switch running firmware versions before the patched versions is at risk if connected to a network where an attacker could capture management traffic.

How it could be exploited

An attacker with network access to the switch can capture encrypted traffic (such as HTTPS or TLS connections to the web interface or management port 502). Because all devices ship with the same private key, the attacker can use publicly known key material to decrypt this traffic, extract credentials, or forge certificates to impersonate the device and inject malicious commands into network streams.

Prerequisites

Network access to the SCALANCE X switch (typically management ports like 80/443 or Modbus TCP port 502)
Ability to capture encrypted traffic or initiate TLS connections to the device
Knowledge of the hardcoded private key (which is shipped in all firmware images and publicly documented in Siemens advisory SSA-274900)

Remotely exploitableNo authentication required if traffic is intercepted passivelyLow complexity attack (uses publicly documented key material)Affects network infrastructure and potentially safety system communicationsHigh CVSS score (9.1) reflects confidentiality and integrity impact

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

SCALANCE X-200 switch family (incl. SIPLUS NET variants)<V5.2.55.2.5

SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)<V5.5.05.5.0

SCALANCE X-200RNA switch family<V3.2.73.2.7

SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)<V4.1.04.1.0

Remediation & Mitigation

0/7

Do now

0/2

WORKAROUNDReplace the default self-signed X.509 certificates with your own trusted certificates (remove certificates with SHA-1 fingerprint F2:C8:3B:8F:86:27:74:AA:60:EC:D4:A0:CF:0D:BE:A6:D1:FE:22:12 and SHA-256 fingerprint 25:60:DB:B3:F9:07:9D:69:0E:DD:A9:EB:4E:1C:D5:8E:AF:79:16:C3:C8:13:A6:F6:59:AD:05:E4:6F:77:F7:72)

HARDENINGRestrict network access to management ports (80, 443, 502) using firewall rules and access control lists; allow only authorized engineering workstations and network management servers

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE X-200 switches (including SIPLUS NET variants) to firmware version 5.2.5 or later

HOTFIXUpdate SCALANCE X-200IRT switches (including SIPLUS NET variants) to firmware version 5.5.0 or later

HOTFIXUpdate SCALANCE X-200RNA switches to firmware version 3.2.7 or later

HOTFIXUpdate SCALANCE X-300 switches (including X408 and SIPLUS NET variants) to firmware version 4.1.0 or later

Long-term hardening

0/1

HARDENINGSegment SCALANCE X switches onto protected management networks isolated from untrusted networks and external internet access

CVEs (2)

CVE-2020-28391 CVE-2020-28395

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/02ac4ef4-fd81-40a3-a3d5-94e2f4bf390c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.